
New IoT Security Issue Can Breach Network Segments

Armis research finds that vulnerabilities in Bluetooth Low Energy chips pose a major IoT security risk.
  • Written by Courtney Bjorlin
  • 2nd November 2018

Vulnerabilities in chips made by Texas Instruments open enterprises to attacks that are capable of breaching even network segmentation, a major security strategy used to guard against the risks of IoT devices, according to research from Armis.

The Bluetooth Low Energy (BLE) chips are used in many products, according to Armis. The highest risk for the enterprise comes from the chips in the Wireless Access Points (WAP) made by Cisco, Meraki and Aruba. The vulnerabilities allow an unauthenticated attacker to broadcast a BLE beacon, take over the access points, spread malware and move laterally across network segments, according to Armis. The vulnerabilities can’t be detected or stopped by traditional network and endpoint security solutions, according to researchers.

As far as researchers know, such an attack has not happened outside the research done in the labs of the IoT security startup. But its risk signals two things to enterprises: that they need to view access points as unprotected and unmanaged devices, and that network segmentation, a primary security strategy, is at risk in the IoT age, according to Armis.

“There’s this virtual entity called the network. But it’s implemented by devices like any other IoT device,” said Ben Seri, vice president of research at Armis, an IoT security startup based in both Israel and Palo Alto. “There are no traditional security mechanisms that look at these attacks. This is something that is new in the marketplace. It can rise really fast.”

The good news is security updates for the so-called “BLEEDINGBIT” bug have already been provided by Texas Instruments. Cisco, Meraki and Aruba were expected to announce patches Thursday, and Armis researchers are confident the patches will address the vulnerabilities.

The bug gets its name from its root cause: the highest (and most significant) bit in a BLE packet’s length field is not masked, according to Armis. Turning this bit on causes memory corruption that can lead to remote code execution (RCE). This one bit will cause the entire chip to bleed, according to Armis.
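The bug class described above, as an added illustration that is not code from Armis, Texas Instruments or the affected firmware: a length byte whose top bit is reserved, read once without masking and once with the bit checked and the length validated. The packet layout, constants and function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout (not the real firmware): byte 0 is a length field
   whose top bit is reserved, so valid payload lengths are 0..127. */
#define RESERVED_BIT 0x80u
#define LEN_MASK     0x7Fu
#define PAYLOAD_MAX  127u   /* receive buffer sized for the masked maximum */

/* Unmasked variant: trusts the raw byte. Returns how many bytes a copy
   would move; any value above PAYLOAD_MAX would overrun the buffer. */
size_t unmasked_copy_len(const uint8_t *pkt)
{
    return pkt[0];                       /* reserved bit leaks into length */
}

/* Hardened variant: drop packets that set the reserved bit, mask anyway,
   and check the claimed length against the bytes actually received.
   Returns the payload length, or -1 for a malformed packet. */
int parse_hardened(const uint8_t *pkt, size_t pkt_len,
                   uint8_t out[PAYLOAD_MAX])
{
    if (pkt_len < 1)
        return -1;
    if (pkt[0] & RESERVED_BIT)           /* reserved top bit set: reject */
        return -1;
    size_t len = pkt[0] & LEN_MASK;      /* belt and braces */
    if (len > pkt_len - 1)
        return -1;                       /* claims more than was received */
    memcpy(out, pkt + 1, len);
    return (int)len;
}

int main(void)
{
    /* Constructed sample packets: same payload, top length bit off / on. */
    const uint8_t good[] = { 0x03, 'a', 'b', 'c' };
    const uint8_t bad[]  = { 0x83, 'a', 'b', 'c' };
    uint8_t out[PAYLOAD_MAX];

    printf("unmasked length for bad packet: %zu (buffer holds %u)\n",
           unmasked_copy_len(bad), PAYLOAD_MAX);
    printf("hardened, good packet: %d\n", parse_hardened(good, sizeof good, out));
    printf("hardened, bad packet:  %d\n", parse_hardened(bad, sizeof bad, out));
    return 0;
}
```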

The vulnerabilities stem from two issues. First, a hacker can broadcast malicious BLE packets, and any vulnerable access point within range would be compromised. The hacker can use the BLE chip to compromise the main operating system and gain full control over it, according to Armis. This vulnerability impacts TI cc2640/50, embedded in Cisco and Meraki Wi-Fi access points.

A second issue comes from a feature left on in the BLE chip that was not supposed to be shipped in production. Using this over-the-air download (OAD) feature, the hacker can install a new and different version of firmware, effectively rewriting the operating system of the device, according to researchers. By abusing this feature, an attacker can gain a foothold on an access point through which he can penetrate secure networks, according to Armis. This issue affects Aruba Wi-Fi access point Series 300 with TI BLE chip (cc2540).

Most organizations that use these wireless access points don’t use the features enabled by the BLE chips, according to researchers. For that reason, in addition to applying the patches, researchers recommend turning off the BLE chip if the organization doesn’t need it.

In all, the vulnerabilities show the implications of chip firmware and unmanaged devices in enterprises.

“Every device should have a zero trust approach right now,” said Michael Parker, vice president of marketing for Armis.
